
ory.sh: Could not find they TOTP key in the internal context

Open udf2457 opened this issue 1 year ago • 12 comments

Preflight checklist

Ory Network Project

No response

Describe the bug

Not very impressive!

Received this error when I tried to enable 2FA on Ory's own website!

An error occured An unexpected error has occurred. If the problem persists please contact [email protected]. Could not find they TOTP key in the internal context. This is a code bug and should be reported to https://github.com/ory/kratos/.

Reproducing the bug

  1. Create new account
  2. Scan QR code
  3. Click submit/save
  4. Observe error

Relevant log output

No response

Relevant configuration

No response

Version

Ory website

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

udf2457 avatar May 06 '24 11:05 udf2457

Hi, thanks for the report. In which browser did you observe the issue?

jonas-jonas avatar May 07 '24 09:05 jonas-jonas

Hi

Brave (a.k.a. Chrome)

udf2457 avatar May 07 '24 09:05 udf2457

I was not able to reproduce this issue with the steps you provided. Can you please provide a reproducible case? Thank you!

aeneasr avatar Jun 18 '24 11:06 aeneasr

We're seeing this error as well, with some users. Microsoft Edge browser. Attached the screenshot the given user sent.

Image

dirksierd avatar Feb 10 '25 12:02 dirksierd

Today the same as @dirksierd mentioned, another client:

"error": {
"code": 500,
"message": "An internal server error occurred, please contact the system administrator",
"reason": "Could not find they TOTP key in the internal context...."

This client mentioned that he used "Google Authenticator".

rvzug avatar Feb 10 '25 16:02 rvzug

Can you please provide reproducible steps?

aeneasr avatar Feb 10 '25 17:02 aeneasr

Hi @aeneasr, I've thought about your request for STR for a while. The problem is that it is user-dependent. We have two cases (@dirksierd's and mine) but both cases need a validated e-mail address to reproduce the error. And I can't/won't share the password and e-mail address. If I change the e-mail address, it just works normally.

STR:

  1. Register the user by the requirements of the user-schema (I won’t publicly share the schema, but can share it in private)
  2. Receive the e-mail verification and enter it in the UI
  3. User is logged in the UI and can register a 2FA TOTP
  4. User scans the QR-code with Microsoft Authenticator (user 1) or Google Authenticator (user 2)
  5. User enters the 6-digit code in the verification field
  6. User presses Save
  7. Error occurs: Could not find they TOTP key in the internal context

Isn't it possible to reverse engineer the issue based on the error message? And provide us hints about what could be going wrong?

I've validated a couple of times that the returned code of the app is right. When I enter a wrong 6-digit code, the normal behaviour is seen. So I guess that the code is validated successfully, but then the error is served. My guess would be:

  1. code is successfully validated
  2. key/token/whatever is NOT saved
  3. some process can't find the TOTP key (e.g. webhook call?) in context

rvzug avatar Feb 13 '25 17:02 rvzug

The error message suggests that there is a problem in the settings flow. So for example:

  1. User opens settings
  2. User changes email
  3. Then tries to add TOTP
  4. See error

If you could narrow down which interaction is causing the problem we can probably find the problem quickly!

aeneasr avatar Feb 13 '25 18:02 aeneasr
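The two comments above circle the same mechanism: the TOTP secret is created when the QR code is rendered and has to be available again, server-side, when the 6-digit code is submitted. The following Go program is an added illustration of that contract and is not Kratos code or code from anyone in this thread. It is a minimal model: a hypothetical `Flow`/`FlowStore`, a hypothetical internal-context key `totp_secret`, and an RFC 6238 verifier (HMAC-SHA1, 30-second step, 6 digits, one step of clock skew). It shows why a valid code can still end in a "key not found" error: the submit step runs against a flow whose internal context never received the secret, which is a different failure from an invalid code. Whether that is the actual root cause of this issue is not established here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// ErrKeyMissing models the failure in this issue: the submit step cannot find
// the secret that the QR step stored in the flow's internal context.
var ErrKeyMissing = errors.New("could not find the TOTP key in the flow's internal context")

// Flow is a hypothetical stand-in for a self-service settings flow: a
// server-side record with a free-form internal context (assumption).
type Flow struct {
	ID              string
	InternalContext map[string]string
}

// FlowStore keeps flows in memory (hypothetical; a real system persists them).
type FlowStore struct{ flows map[string]*Flow }

func NewFlowStore() *FlowStore { return &FlowStore{flows: map[string]*Flow{}} }

// NewFlow creates a fresh flow. A new flow starts with an empty internal
// context; nothing is copied from an earlier flow.
func (s *FlowStore) NewFlow(id string) *Flow {
	f := &Flow{ID: id, InternalContext: map[string]string{}}
	s.flows[id] = f
	return f
}

func (s *FlowStore) Get(id string) (*Flow, bool) { f, ok := s.flows[id]; return f, ok }

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// BeginTOTPEnrollment is the "render the QR code" step: generate a 160-bit
// secret and park it in the flow's internal context under an assumed key name.
func BeginTOTPEnrollment(f *Flow) (string, error) {
	raw := make([]byte, 20)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	secret := b32.EncodeToString(raw)
	f.InternalContext["totp_secret"] = secret
	return secret, nil
}

// CompleteTOTPEnrollment is the "submit the 6-digit code" step. The secret is
// looked up in the named flow; if that flow never stored one, the result is
// ErrKeyMissing regardless of whether the code would have been correct.
func CompleteTOTPEnrollment(s *FlowStore, flowID, code string, now time.Time) error {
	f, ok := s.Get(flowID)
	if !ok {
		return fmt.Errorf("flow %q not found", flowID)
	}
	secret, ok := f.InternalContext["totp_secret"]
	if !ok {
		return ErrKeyMissing
	}
	if !ValidateTOTP(secret, code, now, 1) {
		return errors.New("the provided code is invalid")
	}
	return nil
}

// TOTP computes an RFC 6238 code: HMAC-SHA1 over the 30-second step counter,
// dynamic truncation, six decimal digits.
func TOTP(secret string, t time.Time) (string, error) {
	key, err := b32.DecodeString(secret)
	if err != nil {
		return "", err
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000), nil
}

// ValidateTOTP accepts the code for the current step and +/- skew steps,
// comparing in constant time.
func ValidateTOTP(secret, code string, now time.Time, skew int) bool {
	if _, err := strconv.Atoi(code); err != nil || len(code) != 6 {
		return false
	}
	for i := -skew; i <= skew; i++ {
		want, err := TOTP(secret, now.Add(time.Duration(i)*30*time.Second))
		if err != nil {
			return false
		}
		if hmac.Equal([]byte(want), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	s := NewFlowStore()
	f := s.NewFlow("flow-1")
	secret, _ := BeginTOTPEnrollment(f)
	now := time.Now()
	code, _ := TOTP(secret, now)
	fmt.Println("same flow:", CompleteTOTPEnrollment(s, "flow-1", code, now))
	s.NewFlow("flow-2") // a fresh flow, as when the settings page is re-created
	fmt.Println("new flow: ", CompleteTOTPEnrollment(s, "flow-2", code, now))
}
```

The distinction the program makes is the one worth checking in a real deployment: an invalid code is rejected by `ValidateTOTP`, while `ErrKeyMissing` means the submit request was matched to a flow that never went through the QR step, so the interesting question is which flow ID the browser sent on submit and whether anything replaced the flow in between.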

Today another user (user 3) has seen the same error message. We've repeated the STR from scratch. I've validated that the user did not change the e-mail/other information, did not use any submit button in the UI, other than the TOTP submit button.

Still the error is shown right after saving the TOTP validation code in the UI.

I did check: The Ory Dashboard does indicate that the TOTP is set successfully for this user.

@dirksierd can you validate that there are no changes through any API that could interfere? I don't see any webhooks related to this in our configuration, though.

rvzug avatar Feb 14 '25 18:02 rvzug

I believe this to be a dupe of: https://github.com/ory/kratos/issues/2401

aeneasr avatar Feb 14 '25 18:02 aeneasr

I've tried many different routes, but cannot reproduce. Linking and unlinking the TOTP-method works without problem as well.

Here are the steps with a bit more detail…

  1. Go to our app
  2. Press the 'login' button
  3. Get redirected to the Ory-hosted UI for our project (with ?return_to=APP_URL)
  4. Choose 'sign up' and complete the sign-up flow (which has a webhook check on POST)
  5. Get redirected back to our app when successful
  6. See a notice that AAL2 is required, with a button to go do so
  7. Press the button (to: /ui/settings?return_to=APP_URL#totp) – creating a new flow
  8. Usually: user links TOTP and gets redirected back, able to use the app
  9. Sometimes: get the aforementioned error when trying to link TOTP

Ticket 2401 talks about logging in and out in-between. We could try that, but not sure. Step 7 tells me we're not re-using a flow to set the TOTP. It's a newly created flow.

dirksierd avatar Feb 14 '25 23:02 dirksierd

We're still running into this issue. Could we perhaps go private to discuss with a set of given credentials, that's seeing this issue consistently?

dirksierd avatar Jun 18 '25 03:06 dirksierd